COMMENT: In The Field

The Importance of Patches

By Ian Abramson

Too many companies leave their databases insufficiently protected.

If someone were to give your organization free and dependable software to improve the security and performance of your database, would you accept it? Or would you just say, “No, thanks”? Recent surveys suggest that most organizations would forgo such an offer.

In May and August 2008, Independent Oracle Users Group (IOUG) and Oracle’s Security Customer Advisory Council jointly conducted two online surveys to understand how organizations apply Oracle’s critical patch updates (CPUs) and patch sets and the general state of security in Oracle environments. The results of these surveys should send warnings to organizations that value their information assets.

The combined results of the two CPU surveys were published in the Security Patching Practices by Oracle Customers report and show that only 26 percent of organizations require applying CPUs systematically when Oracle releases them. Further, 19 percent do not have specific requirements for applying any vendor-supplied security patches, as typically recommended by IT governance frameworks such as COBIT and ISO 27001. An additional 11 percent report that their policies do not extend to Oracle patches.

Even more startling was the fact that 36 percent of organizations require justifying the use of the Oracle security patches. A small number of respondents (6 percent) also reported that the systematic application of Oracle CPUs is limited to mission-critical systems.

Next Steps

Even organizations that apply CPUs do not necessarily apply them in a timely fashion. Thirty percent apply a CPU before the next one is released; 25 percent are only one cycle late (three to six months). The rest are six to nine months late or worse, and 11 percent never apply CPUs at all.

Why aren’t CPUs applied? The report demonstrates that organizational constraints, rather than negligence, are an issue in applying patches promptly. Respondents say that executive mandates (17 percent), security audits (13 percent), or requirements from security staff (6 percent) would give administrators the support they need to be more proactive with applying CPUs. Budget is also a problem. Only 28 percent of respondents reported that IT security-related spending has increased, and about 13 percent—a threefold jump from 2007—said spending decreased. The complexity of testing patches before applying them is also a major obstacle to timely compliance.

We must find a way around these constraints if we want to ensure our companies’ data integrity. Applying critical patches late—or not at all—leaves our data and our companies woefully unprotected. We must make applying security patches a priority if we are to secure our data effectively. We can do that in two ways—technically and organizationally.

On the technical side, we can take advantage of the tools that Oracle provides for evaluating, testing, and applying patches through the Oracle Enterprise Manager interface. Oracle Real Application Testing combines a workload capture and replay feature with a SQL performance analyzer to help you test changes against real-life workloads and then fine-tune those changes before putting them into production. Oracle Application Testing Suite lets us perform load testing, functional testing, and test management before we deploy anything. (By attending the IOUG Forum at COLLABORATE 10 in Las Vegas, Nevada, April 18 through 22, 2010, you can learn from those who have done this.) Now is the time to expand your security toolkit and recognize that applying security patches is not too daunting a task.

On the organizational side, IT professionals need to push our organizations to make sure that the patches get applied. Do we need more executive buy-in? If so, we need to prepare our case and present it. Are security audits unsatisfactory? We can do our own checks. Are the requirements from security staff inadequate? Work with them to form new guidelines, and then stick to them. There’s not much any one person can do about budget restrictions, but it’s everyone’s responsibility to do the most with what’s available. If applications such as Oracle Real Application Testing are in the budget, deploy them.

If we can save our companies from just one security breach, the effort will have been worth it. We owe it to our organizations to make things better despite themselves.

Ian Abramson (ian_abramson@ioug.org) is president of IOUG and an Oracle ACE focused on business intelligence and data warehousing. Based in Toronto, Canada, he is the director of the Enterprise Data Group for Thoughtcorp, a technology consulting company. He is coauthor of Oracle Database 11g Beginner’s Guide (Oracle Press, 2008).